| author | Romain Gonçalves <me@rgoncalves.se> | 2023-01-09 22:39:47 +0100 | 
|---|---|---|
| committer | Romain Gonçalves <me@rgoncalves.se> | 2023-04-02 11:45:09 +0200 | 
| commit | 1ff0fc1803fc71d925a0f2d0cf9c27058914044a (patch) | |
| tree | aff689ecd6397f2cf6ae9a4800b5f02b514afe17 | |
| parent | d1924d9c361470556dd1a935137a79bc0df8b099 (diff) | |
feat(roles/pf): add argument specs
| -rw-r--r-- | group_vars/all.yml | 7 | ||||
| -rw-r--r-- | host_vars/dc0.yml | 10 | ||||
| -rw-r--r-- | roles/pf/defaults/main.yml | 7 | ||||
| -rw-r--r-- | roles/pf/handlers/main.yml | 14 | ||||
| -rw-r--r-- | roles/pf/meta/main.yml | 42 | ||||
| -rw-r--r-- | roles/pf/tasks/main.yml | 27 | ||||
| -rw-r--r-- | roles/pf/templates/pf.conf.j2 | 6 | 
7 files changed, 79 insertions, 34 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 63697e8..fc3b760 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -13,7 +13,12 @@ acme_domain_name: "{{ __global_domain_name }}"
 nfsclient_server: stack0
 httpd_use_nfs: true
 relayd_rules: "{{ __services }}"
-pf_rules: "{{ __services }}"
+pf_rules: "[
+    {% for rule in __services if
+        'port' in rule and 'protocol' in rule and 'name' in rule %}
+    {{ {'name': rule.name, 'port': rule.port, 'protocol': rule.protocol} }},
+    {% endfor %}
+  ]"
 acme_rules: "{{ __services }}"
 # playbook specific
diff --git a/host_vars/dc0.yml b/host_vars/dc0.yml
index 80c7ef5..fc9b3cc 100644
--- a/host_vars/dc0.yml
+++ b/host_vars/dc0.yml
@@ -13,23 +13,23 @@ __ip:
   internal: 10.10.0.1
 __services:
-  ssh:
+  - name: ssh
     protocol: tcp
     port: 22
-  wireguard:
+  - name: wireguard
     protocol: udp
     port: 53
-  http:
+  - name: http
     protocol: tcp
     port: 80
-  https:
+  - name: https
     protocol: tcp
     port: 443
-  cgit:
+  - name: cgit
     domain: git
     protocol: tcp
     port: 1235
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
index 29a53f8..90b4c7e 100644
--- a/roles/pf/defaults/main.yml
+++ b/roles/pf/defaults/main.yml
@@ -1,13 +1,8 @@
 ---
 pf_rules: null
-# name: ...
-#   protocol: ...
-#   port: ...
-# name: ...
-#   protocol: ...
-#   port: ...
 pf_configuration_file: /etc/pf.conf
+pf_test_delay: 2
 pf_test_ports:
   - "{{ ansible_port }}"
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
deleted file mode 100644
index 2d518eb..0000000
--- a/roles/pf/handlers/main.yml
+++ /dev/null
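Review bot: The `if 'port' in rule and 'protocol' in rule and 'name' in rule` clause on the new `pf_rules` template silently drops any `__services` entry that misspells one of those keys, so a typo yields a host with no pass rule for that service and no error from the play. Since the role's argument spec added in this same commit marks all three keys required, it is safer to pass them through and let validation fail loudly: `pf_rules: "{{ __services | map('dict2items') | map('selectattr', 'key', 'in', ['name', 'protocol', 'port']) | map('items2dict') | list }}"` keeps the key-stripping (so `domain: git` does not trip the spec) while still reporting a missing port; if the clause is instead meant to skip intentionally port-less services, a comment saying so would settle it. Note also that `relayd_rules` and `acme_rules` still receive the raw `__services`, whose shape `host_vars/dc0.yml` changes from a mapping to a list in this commit; the relayd and acme templates are not in this diff, so if they iterate with `.items()` as `pf.conf.j2` did, they will now fail.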
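Review bot: `pf_rules: null` stays as the default even though the new `roles/pf/meta/main.yml` spec declares the option `required: true` with `type: list`, so with defaults alone the role now stops at argument validation rather than rendering an empty ruleset; that is a reasonable fail-closed choice for a firewall role, but the deleted example block was the only hint of the expected shape and nothing replaces it. A one-line comment makes the intent explicit: `pf_rules: null  # no default on purpose: meta/main.yml requires a list of {name, protocol, port} dicts; see host_vars for examples`. `pf_test_delay: 2` gets no comment either; `# seconds passed to wait_for's delay before each pf_test_ports entry is probed` would spare the next reader a trip to the task file.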
@@ -1,14 +0,0 @@
----
-
-- name: lint pf configuration
-  ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}"
-
-- name: enable pf
-  ansible.builtin.command: pfctl -e
-  register: pf_result_enable
-  failed_when:
-    - pf_result_enable.result.rc != 0
-    - "'already enabled' not in pf_result_enabled.result.stderr"
-
-- name: restart pf
-  ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}"
diff --git a/roles/pf/meta/main.yml b/roles/pf/meta/main.yml
new file mode 100644
index 0000000..8a6aa88
--- /dev/null
+++ b/roles/pf/meta/main.yml
@@ -0,0 +1,42 @@
+---
+
+argument_specs:
+  main:
+    short_description: pf main entrypoint.
+    options:
+
+      pf_rules:
+        type: list
+        elements: dict
+        required: true
+        options:
+          name:
+            type: str
+            required: true
+          protocol:
+            type: str
+            required: true
+            choices:
+              - tcp
+              - udp
+            description: Network protocol
+          port:
+            type: int
+            required: true
+            description: Port to be configured
+
+      pf_configuration_file:
+        type: path
+        required: true
+        description: Pf configuration file
+
+      pf_test_delay:
+        type: int
+        required: true
+        description: Pf test delay
+
+      pf_test_ports:
+        type: list
+        element: int
+        required: true
+        description: Ports to be tested
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index 8e81e1c..4fba69e 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
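Review bot: `pf_test_ports` declares its item type with `element: int` while `pf_rules` above correctly uses `elements: dict`; the misspelled key is not one the argument-spec validator recognises, so the list items will go unchecked and a non-numeric port will only surface when `wait_for` runs. Change it to `elements: int`. While here, `pf_rules` and its `name` sub-option are the only entries without a `description`; `description: Services to open, each rendered into pf.conf as a pass-in rule on egress` and `description: Label emitted as a comment above the rule in pf.conf` would complete the spec, and `short_description: pf main entrypoint.` could say what the entrypoint actually does (render pf.conf, lint it, load it, enable pf).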
@@ -7,14 +7,31 @@
     owner: 0
     group: 0
     mode: "0600"
-  notify:
-    - lint pf configuration
-    - enable pf
-    - restart pf
+  register: pf_result_generate_configuration
+
+- name: lint pf configuration  # noqa: no-handler
+  ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}"
+  register: pf_result_lint_configuration
+  changed_when:
+    - pf_result_generate_configuration.changed
+    - pf_result_lint_configuration.rc != 0
+
+- name: restart pf  # noqa: no-handler
+  ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}"
+  when: pf_result_generate_configuration.changed
 - name: test pf rules
   ansible.builtin.wait_for:
     port: "{{ item }}"
-    delay: 2
+    delay: "{{ pf_test_delay }}"
     state: started
   loop: "{{ pf_test_ports }}"
+
+- name: enable pf
+  ansible.builtin.command: pfctl -e
+  register: pf_result_enable
+  changed_when:
+    - "'already enabled' not in pf_result_enable.stderr"
+  failed_when:
+    - pf_result_enable.rc != 0
+    - "'already enabled' not in pf_result_enable.stderr"
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index e60b4a6..193c9d2 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -11,9 +11,9 @@ block all
 pass in quick on egress proto tcp to port {{ ansible_port }}
 # host services
-{% for name, rules in pf_rules.items() %}
-# {{ name }}
-pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }}
+{% for rule in pf_rules %}
+# {{ rule.name }}
+pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }}
 {% endfor %}
 # wireguard
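Review bot: `enable pf` now runs last, after `test pf rules`, so on a host where pf is still disabled the ruleset is loaded with `pfctl -f`, the port check passes against an inactive firewall, and pf is then switched on with rules that were never exercised live — the opposite of what a lockout guard should do. Move the `enable pf` task up to sit before `restart pf` (`pfctl -e` on an already-enabled pf is harmless, as the `already enabled` handling shows), so the `wait_for` loop observes the filtering ruleset. Note too that `wait_for` without `delegate_to` runs on the managed host and only checks that something is listening on the port locally; whether that connection even traverses the `block all` ruleset depends on a `set skip on lo` line that is outside this diff, so the test is weaker than its name suggests. Finally, the `changed_when` on `lint pf configuration` can never be true, because a non-zero rc fails the command task before the condition is reached; `changed_when: false` says what is meant.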
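Review bot: The new loop emits `rule.protocol` and `rule.port` straight into pf syntax, and the only thing keeping those fields to `tcp`/`udp` and an integer is the `choices`/`type` in `roles/pf/meta/main.yml`, which the template itself does not mention; a comment above the loop, `{# protocol/port are constrained by meta/main.yml argument_specs; name is free-form #}`, records that dependency for whoever next edits the spec. `rule.name` is the unconstrained field and lands in a `# {{ rule.name }}` comment line, so a name containing a newline would start a new pf line outside the comment; with `__services` coming from host_vars this is operator-controlled, but `# {{ rule.name | regex_replace('[\r\n]', ' ') }}` closes it cheaply. Since `pfctl -nf` in tasks/main.yml lints the rendered file before it is loaded, a malformed line at least fails the play rather than reaching the kernel.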